EVALUATION REPORT

REDACTED VERSION

Office of the Inspector General Information System Security Evaluation of Region I - King of Prussia, PA

OIG-09-A-20      September 30, 2009

All publicly available OIG reports (including this report) are accessible through NRC's Web site at:
http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/

Contract Number: GS-00F-0001N
Delivery Order Number: 20291

September 30, 2009

EXECUTIVE SUMMARY

BACKGROUND

The U.S. Nuclear Regulatory Commission (NRC) has four regional offices that conduct inspection, enforcement, investigation, licensing, and emergency response programs for nuclear reactors, fuel facilities, and materials licensees. The Region I office operates under the direction of a Regional Administrator and is located in King of Prussia, Pennsylvania. The region covers an 11-state area and the District of Columbia, including 8 states with nuclear power plants. Region I also oversees materials licensees in Region II.

On December 17, 2002, the President signed the E-Government Act of 2002, which included the Federal Information Security Management Act (FISMA) of 2002. FISMA outlines the information security management requirements for agencies, which include an annual independent evaluation of an agency's information security program[1] and practices to determine their effectiveness. This evaluation must include testing the effectiveness of information security policies, procedures, and practices for a representative subset of the agency's information systems. FISMA also requires assessment of compliance with FISMA requirements and related information security policies, procedures, standards, and guidelines. FISMA requires the annual evaluation to be performed by the agency's Inspector General or by an independent external auditor.

The NRC Office of the Inspector General (OIG) requested that the four NRC regional offices and the Technical Training Center (TTC) be included in the independent evaluation of the agency's implementation of FISMA for fiscal year 2009. Information security policies, procedures, and practices at the regional offices and the TTC were last assessed in 2003 and 2006. This report describes evaluation findings for Region I.

PURPOSE

The objectives of the information system security evaluation of Region I were to:

• Evaluate the adequacy of NRC's information security program and practices for NRC automated information systems as implemented at Region I.
• Evaluate the effectiveness of agency information security control techniques as implemented at Region I.
• Evaluate corrective actions planned and taken as a result of previous OIG evaluations.

[1] For the purposes of FISMA, the agency uses the term "information system security program."

RESULTS IN BRIEF

Region I has made improvements in its implementation of NRC's information system security program and practices for NRC automated information systems since the previous evaluations in 2003 and 2006. All corrective actions from the previous evaluations have been implemented. However, the information system security program and practices are not always consistent with the NRC's automated information systems security program as defined in Management Directive (MD) and Handbook 12.5, NRC Automated Information Systems Security Program, other NRC policies, FISMA, and National Institute of Standards and Technology (NIST) guidance. While many of the Region I automated and manual security controls are generally effective, some security controls need improvement. Areas needing improvement included continuity of operations and emergency planning, and configuration management. Specifics cannot be presented in this publicly released version of the report.

RECOMMENDATIONS

This report makes recommendations to the Executive Director for Operations to improve NRC's information system security program and implementation of FISMA at Region I.